President Biden on Dec. 21 signed into law the SBA Cyber Awareness Act, which aims to require the Small Business Administration (SBA) to improve its cyber defenses.
The legislation obligates the SBA to develop a cyber strategy, assess the risks of foreign-sourced components that make up part of its IT systems, and submit an annual report to Congress on the agency’s cybersecurity progress.
The bill was introduced in May by Reps. Young Kim, R-Calif., and Jason Crow, D-Colo., and approved by the House on Dec. 7.
Sens. Marco Rubio, R-Fla., Jim Risch, R-Ind., and Bill Cassidy, R-La., introduced similar legislation in 2021 requiring the SBA to be more proactive in protecting data and requiring greater transparency of threats and breaches that occur.
“Thank you for Representatives Crow and Kim, and Senators Rubio, Risch, and Cassidy, and many others for your leadership,” the White House press release said.
The new bill requires the SBA to annually report specified information related to cybersecurity awareness.
According to the bill, the reports must include:
- A strategy to increase the cybersecurity of the SBA’s IT infrastructure;
- A supply chain risk management strategy that includes risk mitigation activities for IT components originating from an entity that has its principal place of business in China; and
- Any SBA cybersecurity incident that occurred during the two years prior to the initial report – including the agency’s action to respond to it.